I've been watching the DShield block list.
"This list summarized the top 20 attacking class C (/24) subnets # over the last three days."
What I've found is that the list is updated several times a day, and that IPs on the list do not stay on, based on the number of attacks. Over several days, I've noticed that certain IPs are replaced by IPs that have a smaller number of attacks. No, it's not that the attacker is over 3 days old. An IP can show up in one day with 11,000 hits, and be replaced in a few hours by an IP with fewer than 1000.
So, if they are not based on the number of attacks, how are they determined as top 20 attackers? More importantly, is the block list working correctly?
If it's not working correctly, does anyone know of a better list out there?
Thanks,
Brent
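One way to turn the observation above into a repeatable check, as an added example that is not part of the original post and not DShield's own code: parse two snapshots of the block list and flag every /24 that dropped off while its attack count still beats the weakest entry on the newer list, which should never happen if ranking were purely by attack count. The tab-separated column order (start, end, netmask, attacks, name, country, email) and the `#` comment convention are assumptions about the file layout, and both snapshots are constructed samples.

```python
from typing import Dict, List, Tuple

# Constructed snapshots in the assumed block-list layout (benchmarking range, not real data).
SNAPSHOT_DAY1 = """# start\tend\tnetmask\tattacks\tname\tcountry\temail
198.18.0.0\t198.18.0.255\t24\t11000\tEXAMPLE-NET-A\tXX\tabuse@example.net
198.18.1.0\t198.18.1.255\t24\t4200\tEXAMPLE-NET-B\tXX\tabuse@example.org
198.18.2.0\t198.18.2.255\t24\t1500\tEXAMPLE-NET-C\tXX\tabuse@example.com
"""
SNAPSHOT_DAY2 = """# start\tend\tnetmask\tattacks\tname\tcountry\temail
198.18.1.0\t198.18.1.255\t24\t4300\tEXAMPLE-NET-B\tXX\tabuse@example.org
198.18.2.0\t198.18.2.255\t24\t1600\tEXAMPLE-NET-C\tXX\tabuse@example.com
198.18.3.0\t198.18.3.255\t24\t900\tEXAMPLE-NET-D\tXX\tabuse@example.edu
"""


def parse_blocklist(text: str) -> Dict[str, int]:
    """Map each listed start address (one per /24) to its reported attack count.
    Assumed layout: '#' comment lines, then tab-separated rows with attacks in column 4."""
    entries: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 4:
            continue
        try:
            entries[fields[0]] = int(fields[3])
        except ValueError:
            continue  # skip malformed rows rather than aborting the comparison
    return entries


def ranking_anomalies(old: Dict[str, int], new: Dict[str, int]) -> List[Tuple[str, int, str, int]]:
    """Return (dropped_net, dropped_attacks, weakest_new_net, weakest_new_attacks) for
    each /24 that left the list although it out-counts the weakest entry now on it."""
    if not new:
        return []
    weakest_net, weakest_cnt = min(new.items(), key=lambda kv: kv[1])
    hits = [(net, cnt, weakest_net, weakest_cnt)
            for net, cnt in old.items() if net not in new and cnt > weakest_cnt]
    return sorted(hits, key=lambda t: -t[1])


def demo() -> List[Tuple[str, int, str, int]]:
    """Run the check over the two constructed snapshots."""
    return ranking_anomalies(parse_blocklist(SNAPSHOT_DAY1), parse_blocklist(SNAPSHOT_DAY2))
```

Run `demo()` against successive downloads of the real file to see whether the drops Brent describes are reproducible.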